I have a HTML page:
<form method="post" action="Servlet" name="frm">
Enter your name: <input type="text" name="name" id="name" /><br/>
<input type="submit" name="sub" value="Submit" />
</form>
A servlet will get value from that HTML page but I want to a servlet doesn’t accept from external page other than this HTML page.
If the request doesn’t come from the HTML page, a warning message would be shown saying that the user are not allow to access the page this way. What should I do?
There are so many ways to achieve this
Way 1:
Place the following code in the sevrlet
if(new URI(request.getHeader("referer")).getPath()=="static html url")
{
//allow
}
else
{
//redirect to some other page
}
Way 2:
When the users logs in for the first time generate a random token and keep it in a session variable
When you load this particular html page pass the session variable as query string
When you post the form to servlet post this value along with other values
Compare the values from session and the value received through post if both are equal allow else transfer the page to logout or some other page/
Related
I would like to write a script that can collect data from the router, in this case 5268AC. So far, I've been able to use response.get() to get information from URLs that do not require device access code to see information. To get information about Wifi, for example, the default SSID, I need to enter the access code located on the router via the browser. I keep getting error 500 when trying request.post(url).
url="http://192.168.1.254/xslt?PAGE=C_2_1"
From inspection, I believe this is the form I'm trying fill. The key value is ADM_PASSWORD.
<h2>Login</h2>
<p>Device access code required. Please enter the device access code, then click Submit.</p>
<form name="pagepost" method="post" action="xslt?PAGE=login_post" id="pagepost">
<input type="hidden" name="NONCE" value="0abc59f54121398" />
<input type="hidden" name="THISPAGE" value="" />
<input type="hidden" name="NEXTPAGE" value="C_2_1" />
<input type="hidden" name="CMSKICK" value="" />
<div>
<div class="form-group">
<label for="ADM_PASSWORD">Access code</label>
<span>
<input type="password" id="ADM_PASSWORD" name="ADM_PASSWORD" size="16" maxlength="16" autofocus="autofocus" required="required" autocomplete="off" />
</span>
</div>
</div>
<p align="right">
<input type="submit" class="button" value="Submit" />
I tried this but got 500 status error.
payload = { 'ADM_PASSWORD':'*access code*' }
response = requests.post(url, headers=headers, data=payload)
Is there a way to be able to collect information via requests instead of using GUI?
First in Chrome/Firefox you can use DevTools (tab: Network) to see what browser sends when you login.
Form has action="xslt?PAGE=login_post" so you should send to
url = "http://192.168.1.254/xslt?PAGE=login_post"
It is relative path - so if you would open page ie. http://http://192.168.1.254/login/ then it would need
url = "http://192.168.1.254/login/xslt?PAGE=login_post"
You have to send all input which you see in form - especially hidden.
Sometimes it may need even submit.
And you should use name= as key, not id=
payload = {
'NONCE': '0abc59f54121398',
'THISPAGE': '',
'NEXTPAGE': 'C_2_1',
'CMSKICK': '',
'ADM_PASSWORD': '*access code*'
}
If you use post() with data= or json= then it should automatically set correct value in Content-Type and Content-Length and you don't have to set it in headers.
You may also first run get() to page with form because it may set cookies which server/device may also check.
Problem can be only if page uses JavaScript to generate some extra data in form and it would need to use Selenium - but it would need to write all with Selenium
Sometimes I send request to https://httpbin.org/post and it sends me back all headers, cookies, post data which it get from me and I can compare it with data which I see in DevTools.
Evetually I use local proxy server Charles and use it in browser and in Python to see if code sends the same data as browser.
In my web forms project (a forum) I have a form that is accessed through a link from another page, a link which includes parameters. for example:
EditPost.aspx?mid=0
When the page is loaded, the form hasn't yet been submitted and Request.QueryString contains the URL parameters I loaded the page with. However, after I send the form, Request.QueryString conatins the values of the form fields. This is a problem because I need the URL parameters after the form is sent.
The question is, how do i make the page send me those URL parameter with the form information?
If I'm approaching this wrong, and I'm supposed to keep the URL parameters from when the page is first loaded, let me know how.
Thanks!
Edit:
<form action="" id="f_editComment" name="f_editThread" method="post" onsubmit="return true;">
<%=ThreadTitle %>
<textarea id="body" name="body" runat="server"></textarea>
<input type="submit" id="submit" name="submit" />
</form>
I need to submit this form (preferrebly using cURL):
<form method="post" action="results.asp" name=FrontPage_Form1 onSubmit="return true">
<input name="regno" size="7" maxlength=7>
<input type="submit" name="B1" size="15" value="Submit">
</form>
This form is on a website and works well there, redirects to page http:website//results.asp and shows the information.
BUT if I download this html form and open it in my local browser and submit, it does not work
the results.asp page says 'Access denied' in html page generated by the asp page.
Additional information:
- when the html page is on the same server: entering a wrong 'regno' results in a page which says exactly that
- Upon opening this form locally, it always says, access denied.
Please let me know if any of this is not clear.
If you open an html file into your local browser and then try to post to another page without the full URL, then it will look in the same directory for that file, which I imagine doesn't exist since you don't have access to it. You need to enter the full path in the form action, like so:
<form method="post" action="http://www.resultsserver.com/results.asp" name=FrontPage_Form1 onSubmit="return true">
I have an ASP form that allows for a database to be searched. The form has a search box (id = street) where people enter their street name and the form will provide a response.
I had a standard HTML form on a bog-standard page on a different website that passed the street variable to the form and the ASP form grabbed this from the URL and this worked fine.
We have since had to update the form to place session data in the URL rather than in a cookie but sadly now the form on the bog-standard page no longer works. The variable does not seam to be recognised by the form.
The format of the sessioned URL is http://www.adomainname.com/(S(mbta4i55vubtxn55gnzhdt55))/form/search.aspx
<form action='http://www.adomainname.com/form/search.aspx' method="post">
<input type="text" value="High Street" id="street" name="street" />
<input type="submit" />
</form>
Has anyone had this issue?
I'm not clear about what you're trying to do yet, but I'll take a shot at the answer...
If you want the street in the URL, change the method to "get".
Is it possible to post a form from one MVC site so that it invokes the POST action in a controller on another site ? I can do a GET easily, but a browser redirect is always a GET as per my understanding and I am unable to invoke the target site's POST action.
e.g. http:/siteA.com/test invokes http://siteB.com/result/signin ... in the ResultController, the Get version of the "SignIn" action gets invoked, but I need the "Post" version to be invoked as I need to pass in parameters in the POST header.
Currently I am resorting to using a GET and am passing params. using the query string which is not ideal for my scenario. Any help here would be appreciated.
You could POST using a simple form:
<form method="post" action="http://othersite.com/controller/action">
<!-- some input fields containing the values to post -->
<input type="hidden" name="param1" value="value1" />
<input type="submit" value="Post to other site" />
</form>
I used AJAX to invoke the target and bundled in the necessary parameters to post in there.